Add-on Services — Security Considerations

This section addresses general principles that apply to all add-on service applications, as well as specific considerations for individual applications.

General principles

Some general principles apply to all OpenAir add-on applications:

Keep software up to date

OpenAir releases new versions of currently supported add-on applications from time to time. Download and install the new versions when they become available to take advantage of security updates as well as software fixes, new features and other product enhancements.

Important:

You should exercise appropriate responsibility and perform regression testing for business-critical applications away from your production environment before upgrading.

Always test new versions of OpenAir Integration Manager in a sandbox environment before upgrading. In particular, test any shortcuts you may have created for processes such as accounting system integrations to verify that they run correctly under the new version of OpenAir Integration Manager.

Service changes impacting infrastructure are communicated to all OpenAir customers. Such service changes may include discontinued development / support and end-of-life for add-on applications. Discuss these changes with your technical teams as they arise to assess the implications and prepare for the change.

Download only from trusted OpenAir sources

Download OpenAir add-on applications only from the following sources:

  • In OpenAir, go to Administration > Global Settings > Add-on Services.

  • Go to the App Store on an iPhone or Play Store on an Android mobile device.

  • Use links provided by OpenAir Customer Support, OpenAir Professional Services or in OpenAir documentation.

Follow the principle of least privilege

Access to OpenAir add-on services should be granted only to users who need it, with the lowest privileges that still let them accomplish their task. For example, you may grant users rights to use OpenAir Mobile applications for time or expense entry, but grant access to OpenAir Projects Connector to Project Managers only. Other add-on services such as OpenAir Integration Manager should be restricted to trained individual users only.

In OpenAir, go to Administration > Global Settings > Users > Employees > [Select an Employee ID] > Access Control > Exchange Access to grant or revoke access to an add-on service.

The label “Not approved for download” appears above the download link in Administration > Global Settings > Account > Integration: Add-on Services if the user has not been granted access to that application. Users can still download and install the application, but they will not be able to set up and use it with their OpenAir credentials. See Access Control Overview.

Note:

OpenAir Exchange Manager requires Administrator credentials. Access cannot be granted to other users and the application is not listed in the Access Control settings for individual users.

Connection Settings

All add-on applications need to be configured to connect with your OpenAir account to enable the exchange of data.

The connection settings include:

  • Server — Enter the URL for your OpenAir account. The server URL includes the domain name for your OpenAir account <account-domain>. For more information about your account-specific domain name, see Your OpenAir Account URLs.

    Important:

    Make sure you connect to your OpenAir account over a secure layer using the HTTPS protocol. OpenAir uses the industry standard Transport Layer Security (TLS) protocol to encrypt communication between the OpenAir server and add-on applications, and to ensure the security of the data transferred.

  • User credentials (Company ID, User ID and Password) — The application will connect successfully to OpenAir only if the user has the relevant access rights allowing them to use the application to access OpenAir data. See Follow the principle of least privilege.

  • Remember Password — This option is disabled by default. If enabled, the password will be stored on the device and encrypted using industry standard security measures.

    Important:

    Make sure you have appropriate security policies in place around physical access to devices. If the Remember Password option is enabled, anyone with access to your unlocked device will be able to access your Oracle Service account using your device; a person having such access will be able to view, add, and edit information in your Oracle Service account. As a precaution, you should always use a passcode lock on your device and change your password regularly. If your device is lost or stolen, you must immediately report the incident to your Oracle account administrator and change your Oracle Service password. By enabling the Remember Password option, you accept full responsibility for any losses and/or damages, and you agree not to hold Oracle or its affiliates liable for any losses and/or damages resulting from saving your password and/or session information.

OpenAir Access Control

The access control mechanisms configured for the OpenAir web application also apply to add-on service applications. The features and data available depend on a variety of factors such as user settings, role privileges, form permissions and filter sets.

OpenAir Exchange Manager

See Exchange Integration Manager for more information about configuring and using OpenAir Exchange Manager for the integration.

Specific considerations include:

  • Access cannot be granted to users other than account administrators. OpenAir Exchange Manager is not listed in the Access Control settings for individual users.

  • Configuring the OpenAir MS Exchange integration requires Administrator roles for OpenAir, the Active Directory Domain and MS Exchange Server.

  • After OpenAir Exchange Manager is set up, any domain user with read/write access to all users' Exchange folders can run OpenAir Exchange Engine.

  • When configuring access to the MS Exchange server (Integration Settings > Exchange Access):

    • Only enable the Use http option if the integration is local to the Exchange Server and the Exchange Server is not set up to accept HTTPS traffic.

    • Check the Override SSL Exceptions box if the SSL certificate is not signed, or if the domain name used by the integration does not match the domain in the SSL certificate. Again, only enable this option if the integration is local to the Exchange Server.
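The following is an added example, not code from OpenAir or Oracle, that turns the guidance from the Connection Settings section and the two Exchange Access options above into an audit routine a reviewer can run over a proposed configuration before it is rolled out: it flags a non-HTTPS OpenAir server URL, a host that is not the account domain, Remember Password being enabled, and Use http or Override SSL Exceptions being enabled on an integration that is not local to the Exchange Server. The settings dictionary shape, the `.invalid` placeholder domain, the function names and the finding texts are assumptions made for the example.

```python
"""Added example (not OpenAir's own code): audit add-on connection settings.

Checks the settings listed in the Connection Settings section against the
page's guidance, plus the two Exchange Access options. The input shape,
placeholder domain, and finding texts are assumptions for this example.
"""
from __future__ import annotations

import ssl
from urllib.parse import urlsplit


def audit_connection_settings(settings: dict, account_domain: str) -> list[str]:
    """Return the findings for one add-on connection configuration."""
    findings: list[str] = []
    url = urlsplit(settings.get("server", ""))
    # The OpenAir connection must use HTTPS so that TLS protects the exchange.
    if url.scheme.lower() != "https":
        findings.append("server: URL must use https://, not '%s'" % (url.scheme or "<none>"))
    # The server URL must carry the account-specific domain name.
    if url.hostname is None or url.hostname.lower() != account_domain.lower():
        findings.append("server: host '%s' is not the account domain '%s'" % (url.hostname, account_domain))
    # Remember Password is off by default; enabling it widens the impact of device loss.
    if settings.get("remember_password", False):
        findings.append("remember_password: enabled; device passcode lock and loss reporting must be in place")
    return findings


def audit_exchange_access(use_http: bool, override_ssl_exceptions: bool,
                          integration_local_to_exchange: bool) -> list[str]:
    """Apply the rule for the Exchange Access options: both are acceptable
    only when the integration runs locally on the Exchange Server."""
    findings: list[str] = []
    if use_http and not integration_local_to_exchange:
        findings.append("use_http: enabled on a non-local integration; Exchange traffic crosses the network unencrypted")
    if override_ssl_exceptions and not integration_local_to_exchange:
        findings.append("override_ssl_exceptions: enabled on a non-local integration; certificate validation is bypassed")
    return findings


def verifying_tls_context() -> ssl.SSLContext:
    """A client TLS context that validates the server certificate and hostname,
    i.e. the behaviour that Override SSL Exceptions would switch off."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


# Constructed sample settings; the domain is a reserved placeholder, not a real account.
ACCOUNT_DOMAIN = "example-company.openair.invalid"
GOOD = {"server": "https://example-company.openair.invalid", "company_id": "example-company",
        "user_id": "jdoe", "remember_password": False}
WEAK = {"server": "http://example-company.openair.invalid", "company_id": "example-company",
        "user_id": "jdoe", "remember_password": True}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_connection_settings(cfg, ACCOUNT_DOMAIN) or ["no findings"])
    print("exchange (remote integration)", audit_exchange_access(True, True, integration_local_to_exchange=False))
    print("exchange (local integration)", audit_exchange_access(True, True, integration_local_to_exchange=True) or ["no findings"])
```

The audit returns findings rather than raising on the first problem so that a single review pass lists everything that needs changing; `verifying_tls_context()` is there to show what the default, verifying client configuration looks like so that a deviation from it is recognisable.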

OpenAir Integration Manager

See Integration Manager for more information about configuring and using OpenAir Integration Manager.

Specific considerations include:

  • Only users who have received training on using OpenAir Integration Manager should have access to the integration. Having an understanding of the OpenAir application and how its database is structured is critical.

  • OpenAir Professional Services provide you with a link for downloading OpenAir Integration Manager after you have attended the relevant training.

  • The Windows user must have full access privileges to the OpenAir Integration Manager installation folder (typically C:\Program Files(x86)\OpenAir\IntegrationManager).

  • OpenAir Integration Manager does not support a multi-user setup. The application and Integration Manager shortcuts should be installed, created and launched using the same single Windows account. Running OpenAir Integration Manager from different Windows user accounts can lead to inconsistent application behavior.

  • When uninstalling the application, delete the OpenAir Integration Manager installation folder manually to delete the mapping data.

OpenAir OffLine

See OffLine for more information about configuring and using OpenAir OffLine.

Specific considerations include:

  • Access to OpenAir OffLine is granted in the Access Control settings for individual users.

  • Users' access rights and privileges are governed by the access control mechanisms configured in the web application.

  • When uninstalling the application, delete the OpenAir OffLine installation folder (typically C:\Program Files(x86)\OpenAir\OffLine) manually to delete the mapping data.

OpenAir Projects Connector

See Projects Connector for more information about configuring and using OpenAir Projects Connector.

Access to OpenAir Projects Connector is granted in the Access Control settings for individual users.

OpenAir Mobile

Refer to OpenAir Mobile 3 User Guide for more information about configuring and using OpenAir Mobile.

Specific considerations include:

  • Access to OpenAir Mobile (Android) or OpenAir Mobile (iPhone) is granted in the Access Control settings for individual users.

  • OpenAir Mobile uses the OAuth 2.0 authorization framework to access OpenAir data. Users authorize access by signing in to OpenAir on their mobile browser. The OpenAir sign-in page was redesigned and adapted for mobile devices, and users can use biometric authentication if enabled on their device.

    OAuth 2.0 supports the following authentication mechanisms:

    • Password Authentication by OpenAir — Employees use their OpenAir credentials (company ID, username and password) to connect OpenAir Mobile to OpenAir.

    • SAML Authentication — If SAML authentication is enabled for your account, you can enable employees to sign in using one of the following methods:

      • Service Provider initiated Single Sign-on (SP-initiated SSO).

      • Identity Provider initiated Single Sign-on (IdP-initiated SSO). Users need to close the OpenAir Mobile application and launch OpenAir from their company SSO page before they can access OpenAir Mobile.

  • If you use the IP Restriction optional feature to restrict access to the OpenAir account to specific IP addresses, the IP address of the user's device must be in the IP address allowlist for this user for OpenAir Mobile to exchange information with your OpenAir account. If the IP address changes and the new IP address is not in the allowlist for the user, the OpenAir Mobile app can no longer exchange information with your OpenAir account. The OAuth 2.0 access and refresh tokens become invalid at the first attempt to exchange information with your OpenAir account, that is, when the user saves changes or runs the synchronization manually. OpenAir Mobile 4.4.2 or later shows an error message; earlier versions of the app start the authorization process again without showing an error message. The user must ensure that the device IP address is authorized before connecting OpenAir Mobile to your OpenAir account again.

  • Privileges enabling users to approve timesheets and expenses using OpenAir Mobile apps are granted in the Employee Demographic form in OpenAir.

    Go to Administration > Global Settings > Users > Employees > [Select an Employee ID] > Demographic and select as applicable:

    • Enable Approval on mobile for Timesheets (under Timesheets Options)

    • Enable Approval on mobile for Expenses (under Expenses Options)

  • Role permissions, form permissions and permission rules defined in OpenAir by account administrators are also enforced in OpenAir Mobile. However, note that for Timesheets, only permission rules and form default values for the main entity form are supported. Permission rules and form default values for the time entry form are not supported.

  • Access to Timesheets and Expenses can be disabled separately for mobile applications and the web interface. Contact OpenAir Customer Support and ask for the Disable Timesheets on Mobile apps or Disable Expenses on Mobile apps internal switches.

  • OpenAir uses the industry standard Transport Layer Security (TLS) protocol to encrypt communication between the OpenAir server and the OpenAir Mobile app on your device, and to ensure the security of the data transferred.

  • OpenAir Mobile stores data locally on your device. Only the data relevant to the authenticated employee's timesheets and expenses is stored. The app always encrypts your data with industry standard encryption.
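The IP Restriction bullet above describes a sequence that is easy to misread: a sync from an address outside the user's allowlist is refused, the access and refresh tokens are invalidated at that first refused attempt, and the app cannot recover by simply returning to an allowed address; it must re-run the OAuth 2.0 authorization. The following added example, which is not OpenAir code, models that server-side behaviour with per-user CIDR allowlists, a session holding the token pair, and an audit log of refused attempts that a detection team could alert on. The class and function names, the TEST-NET addresses and the token strings are constructed for the example; the real service's internals are not documented on this page.

```python
"""Added example (not OpenAir's own code): model of the IP Restriction rule
for OpenAir Mobile. Allowlists, session, token strings and log format are
assumptions constructed for the example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MobileSession:
    """Token pair the mobile app holds after OAuth 2.0 authorization."""
    user: str
    access_token: Optional[str]
    refresh_token: Optional[str]

    @property
    def authorized(self) -> bool:
        return self.access_token is not None and self.refresh_token is not None


@dataclass
class IpRestriction:
    """Per-user allowlist of networks; a user with no entry is unrestricted."""
    allowlists: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # refused attempts, for detection

    def permits(self, user: str, ip: str) -> bool:
        nets = self.allowlists.get(user, [])
        if not nets:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)


def attempt_sync(session: MobileSession, policy: IpRestriction, device_ip: str) -> str:
    """Outcome of one exchange with the account (a manual sync or a save).

    Returns 'synced', 'blocked' (tokens invalidated at this first refused
    attempt) or 'reauthorize' (no valid tokens; the OAuth 2.0 flow must run again)."""
    if not session.authorized:
        return "reauthorize"
    if not policy.permits(session.user, device_ip):
        # Tokens become invalid at the first attempt from a non-allowlisted address.
        session.access_token = None
        session.refresh_token = None
        policy.audit_log.append("ip_restriction_refused user=%s ip=%s tokens=revoked"
                                % (session.user, device_ip))
        return "blocked"
    return "synced"


def reauthorize(session: MobileSession, access_token: str, refresh_token: str) -> None:
    """Represents a completed OAuth 2.0 authorization; the device IP must already be allowed."""
    session.access_token = access_token
    session.refresh_token = refresh_token


def run_scenario() -> list:
    """Walk through the sequence the documentation describes and return the outcomes."""
    # Constructed allowlist: the user may sync only from the 203.0.113.0/24 test network.
    policy = IpRestriction({"jdoe": [ipaddress.ip_network("203.0.113.0/24")]})
    session = MobileSession("jdoe", "constructed-access-1", "constructed-refresh-1")
    outcomes = [attempt_sync(session, policy, "203.0.113.10")]    # allowed address
    outcomes.append(attempt_sync(session, policy, "198.51.100.7"))  # address changed, not allowed
    outcomes.append(attempt_sync(session, policy, "203.0.113.10"))  # back on an allowed address, tokens gone
    reauthorize(session, "constructed-access-2", "constructed-refresh-2")
    outcomes.append(attempt_sync(session, policy, "203.0.113.10"))  # works again after re-authorization
    for line in policy.audit_log:
        print(line)
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The third outcome is the one users find confusing: the address is allowed again, yet the app still has to re-authorize because the token pair was revoked on the earlier refused attempt. The audit log line is written so that a single refused attempt is visible; a burst of such lines for one user is the signal to check whether the device's network really changed.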